From dd57ee000d2241274ef46ad5e08802c35ba0eb2c Mon Sep 17 00:00:00 2001
From: Mariusz Ziulek <mzet@owasp.org>
Date: Sat, 21 Feb 2015 23:31:36 +0100
Subject: [PATCH] kex: bail out on rubbish in the incoming packet

CVE-2015-1782

Bug: http://www.libssh2.org/adv_20150311.html
---
 src/kex.c | 73 +++++++++++++++++++++++++++++++++++----------------------------
 1 file changed, 41 insertions(+), 32 deletions(-)

diff --git a/src/kex.c b/src/kex.c
index fa4c4e1..ad7498a 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -1547,10 +1547,34 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
 
 /* TODO: When in server mode we need to turn this logic on its head
  * The Client gets to make the final call on "agreed methods"
  */
 
+/*
+ * kex_string_pair() extracts a string from the packet and makes sure it fits
+ * within the given packet.
+ */
+static int kex_string_pair(unsigned char **sp,   /* parsing position */
+                           unsigned char *data,  /* start pointer to packet */
+                           size_t data_len,      /* size of total packet */
+                           size_t *lenp,         /* length of the string */
+                           unsigned char **strp) /* pointer to string start */
+{
+    unsigned char *s = *sp;
+    *lenp = _libssh2_ntohu32(s);
+
+    /* the length of the string must fit within the current pointer and the
+       end of the packet */
+    if (*lenp > (data_len - (s - data) -4))
+        return 1;
+    *strp = s + 4;
+    s += 4 + *lenp;
+
+    *sp = s;
+    return 0;
+}
+
 /* kex_agree_methods
  * Decide which specific method to use of the methods offered by each party
  */
 static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data,
                              unsigned data_len)
@@ -1566,42 +1590,27 @@ static int kex_agree_methods(LIBSSH2_SESSION * session, unsigned char *data,
 
     /* Skip cookie, don't worry, it's preserved in the kexinit field */
     s += 16;
 
     /* Locate each string */
-    kex_len = _libssh2_ntohu32(s);
-    kex = s + 4;
-    s += 4 + kex_len;
-    hostkey_len = _libssh2_ntohu32(s);
-    hostkey = s + 4;
-    s += 4 + hostkey_len;
-    crypt_cs_len = _libssh2_ntohu32(s);
-    crypt_cs = s + 4;
-    s += 4 + crypt_cs_len;
-    crypt_sc_len = _libssh2_ntohu32(s);
-    crypt_sc = s + 4;
-    s += 4 + crypt_sc_len;
-    mac_cs_len = _libssh2_ntohu32(s);
-    mac_cs = s + 4;
-    s += 4 + mac_cs_len;
-    mac_sc_len = _libssh2_ntohu32(s);
-    mac_sc = s + 4;
-    s += 4 + mac_sc_len;
-    comp_cs_len = _libssh2_ntohu32(s);
-    comp_cs = s + 4;
-    s += 4 + comp_cs_len;
-    comp_sc_len = _libssh2_ntohu32(s);
-    comp_sc = s + 4;
-#if 0
-    s += 4 + comp_sc_len;
-    lang_cs_len = _libssh2_ntohu32(s);
-    lang_cs = s + 4;
-    s += 4 + lang_cs_len;
-    lang_sc_len = _libssh2_ntohu32(s);
-    lang_sc = s + 4;
-    s += 4 + lang_sc_len;
-#endif
+    if(kex_string_pair(&s, data, data_len, &kex_len, &kex))
+       return -1;
+    if(kex_string_pair(&s, data, data_len, &hostkey_len, &hostkey))
+       return -1;
+    if(kex_string_pair(&s, data, data_len, &crypt_cs_len, &crypt_cs))
+       return -1;
+    if(kex_string_pair(&s, data, data_len, &crypt_sc_len, &crypt_sc))
+       return -1;
+    if(kex_string_pair(&s, data, data_len, &mac_cs_len, &mac_cs))
+       return -1;
+    if(kex_string_pair(&s, data, data_len, &mac_sc_len, &mac_sc))
+       return -1;
+    if(kex_string_pair(&s, data, data_len, &comp_cs_len, &comp_cs))
+       return -1;
+    if(kex_string_pair(&s, data, data_len, &comp_sc_len, &comp_sc))
+       return -1;
+
     /* If the server sent an optimistic packet, assume that it guessed wrong.
      * If the guess is determined to be right (by kex_agree_kex_hostkey)
      * This flag will be reset to zero so that it's not ignored */
     session->burn_optimistic_kexinit = *(s++);
     /* Next uint32 in packet is all zeros (reserved) */
-- 
2.1.4